Summary
This study proposes TroyGAN, a network architecture that can generate adversarial samples for a multi-class classifier (such as a face recognition system) during the training phase. The TroyGAN architecture is based on GAN and consists mainly of three components:
- Generator: generates adversarial samples.
- Discriminator: determines whether the adversarial sample contains a face and is able to attack the classifier.
- Classifier: the multi-class classifier that is the target of the attack.
Scientific Breakthrough
The adversarial samples generated by TroyGAN are able to attack a state-of-the-art deep face recognition system and achieve a high attack success rate in a black-box attack. Compared with previous studies, our adversarial samples are generated from random noise and attack the model during the training phase rather than the testing phase.
Industrial Applicability
The financial industry currently makes wide use of identity recognition, especially in face recognition applications such as remote account opening. In the future, deep recognition systems will be the main framework, so their security needs to be considered. TroyGAN can be used to simulate this type of attack in order to increase the robustness of the deep models used by the financial industry.